Originally from: https://github.com/DrWhax/truecrypt-archive ## Verifying the integrity There are four keyfiles that the TrueCrypt developers have released. 1. `TrueCrypt_Team_PGP_public_key.asc` * This is the first key, used only for version 1.0 and 1.0a. * pgpdump: `Public key creation time - Mon Jan 26 21:02:14 CET 2004` 2. `TrueCrypt_Foundation_PGP_public_key.asc` * This key has been used for version 2.0 and later. * pgpdump: `Public key creation time - Sun Jun 6 11:13:17 CEST 2004` 3. `TrueCrypt-Foundation-Public-Key.asc` * This key has the same fingerprint as the previous key, but pgpdump reveals that it is composed differently. * Both Foundation keys can verify the same files. * Same creation time as the previous key, but the date `Tue Mar 20 22:52:24 CET 2007` can be seen in pgpdump output. Presumably this is when this file was released (the day after 4.3 was released). 4. `TrueCrypt-key.asc` * This file was released with version 7.2. It is actually identical with `TrueCrypt-Foundation-Public-Key.asc`. * It was most likely renamed to avoid attention to the _Foundation_, so that people would focus on the message that was released along with 7.2, and not the authors. I am not a cryptography expert, so I do not know the significance the second Foundation key presents. It is evident however, that the TrueCrypt developers have difficulty deciding what they want to call themselves and what email address they use. 1. `TrueCrypt Team ` 2. `TrueCrypt Foundation ` 3. `TrueCrypt Foundation ` This is all very interesting, but let's get on to verifying the signature files. ### Verifying the keyfile You can get the fingerprint of a keyfile by running: ``` $ gpg --with-fingerprint TrueCrypt-Foundation-Public-Key.asc pub 1024D/F0D6B1E0 2004-06-06 TrueCrypt Foundation Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0 sub 4077g/6B136ECF 2004-06-06 ``` You can then go to a public key website, e.g. [pgp.mit.edu](https://pgp.mit.edu/), and verify that this is actually an authentic keyfile. Alternatively, and probably a better practice, you can import the keyfiles from the public key server. ### Importing keys ``` gpg --import TrueCrypt_Team_PGP_public_key.asc TrueCrypt-Foundation-Public-Key.asc ``` You can import `TrueCrypt_Foundation_PGP_public_key.asc` too, if you'd like. Alternatively, you can import the keys from a key server directly (via HKP protocol), using the id from the keyfile you verified previously: ``` $ gpg --keyserver pgp.mit.edu --recv-keys 0xF0D6B1E0 gpg: requesting key F0D6B1E0 from hkp server pgp.mit.edu gpg: key F0D6B1E0: public key "TrueCrypt Foundation " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 ``` ### Trust the keys ``` gpg --edit-key "TrueCrypt Team" trust quit gpg --edit-key "TrueCrypt Foundation" trust quit ``` Select option 5, _I trust ultimately_. ### Verify the files #### Mac/Linux I made a bash script, like so: ``` #!/bin/bash for f in *.sig do echo "Verifying '$f'" gpg --verify "$f" echo done ``` 1. Save as `~/verify-sigs.sh` 2. `chmod +x ~/verify-sigs.sh` 3. `cd truecrypt-archive` 4. Just run `~/verify-sigs.sh` to verify all files. 5. Run `~/verify-sigs.sh &>verification.txt` to save the output to file. If you want a one-liner, you can try this:: ``` $ gpg --status-fd 1 --verify-files *.sig ``` #### Windows If you are using Windows, the easiest way to get gpg is by downloading [Gpg4win](http://gpg4win.org/download.html) (Vanilla version is enough), and then adding `C:\Program Files (x86)\GNU\GnuPG\pub` to your `PATH`. You can use this bat script: ``` @echo off for %%f in (*.sig) do ( echo Verifying '%%~nf' gpg --verify "%%f" echo. ) ``` Save it as `verify-sigs.bat` and put it in `PATH`, e.g. the Windows directory. It can also be useful to associate .sig files with this bat script: ``` @echo off echo Verifying '%~n1' echo. gpg --verify %1 echo. pause ``` Save it as `verify-sig.bat` and associate .sig files with it. Then simply double-click a .sig file to verify it. ### Delete keys ``` gpg --delete-key TrueCrypt ``` Repeat until all keys are gone.